Abstract
The "command filtering" function in operation and maintenance security management devices can only filter malicious code that appears in its blacklist; it cannot effectively identify or block behaviour that uses special methods to bypass the function. To address this problem, this paper proposes a random forest based algorithm that accurately identifies command execution statements containing malicious code. First, four command obfuscation bypass methods are introduced, which are used to evade the blacklisted keywords and still achieve command execution. Then, to address these risks, command obfuscation code is taken into account in the feature selection stage of the model; multiple features are used to train the model and the feature weights are adjusted, so as to improve the recognition rate and accuracy of the model's detection of command obfuscation attacks. Experimental results show that the method can promptly identify and respond to command obfuscation attacks, thereby better ensuring the secure operation of servers.
Authors
Qi Zhenyan (戚臻彦); Sun Yongqing (孙永清)
The Third Research Institute of the Ministry of Public Security, Shanghai 200030, China
Source
Cyber Security and Data Governance (网络安全与数据治理), 2023, No. 6, pp. 66-70 (5 pages)
Keywords
command obfuscation
operation and maintenance management equipment
random forest
network security